Open-Source Intelligence or “OSINT” is a powerful weapon in the arsenal of actions organizations can employ to bolster their cyber security efficacy. And, because it is one of the more proactive methodologies for preempting cyber-attacks, it is increasingly being integrated into cyber security programs. CustomerMarketInsights.com analysis reveals a large market space for OSINT solutions – around $7B today – and projects the market to grow at a 28% CAGR through 2030, when it is expected to reach $36B.
Law Enforcement, Government Intelligence Agencies and Defense Intelligence Agencies are by far the largest customers for OSINT technologies. However, business and non-profit organizations are increasingly embracing OSINT in attempts to get ahead of the mounting waves of data breaches. Unfortunately, threat actors have also discovered the benefit of OSINT, a methodology which powers the epidemic of social engineering attacks, making OSINT a double-edged sword. This is especially true when, as with so many novel solutions, the benefits and purported capabilities of OSINT solutions to defend against cyber-attacks are overstated.
OSINT as a defensive or preemptive tactic is not a new development. In fact, it is something that has been used at great length by national security, law enforcement and business intelligence agencies for many decades. Analysts in government and business have derived value from OSINT, gathering and analyzing information to gain an advantage when preparing defenses against a broad array of threats and challenges posed by their respective adversaries. Others such as journalists, activists, scientists, and business analysts have also leveraged OSINT practices to gain perspective and advantage useful in advancing their respective goals.
In more recent years, threat actors have been successfully harnessing the power of OSINT to plan and deploy attacks against their targets. Whether it be hostile governments seeking to undermine the function of their geopolitical rivals or hackers seeking to penetrate secure systems for financial gain, industrial espionage or simply for wreaking malicious havoc, the bad guys have been effectively using open-source intelligence to achieve their nefarious objectives. OSINT in the hands of hackers is behind the plague of Social Engineering attacks powering the tsunami of data breaches occurring daily. These same tactics and tools once used to protect have been turned around by threat actors, using OSINT to undo the best defenses of all types of organizations.
As a result of this “hackers’ jiu jitsu”, information security professionals and those charged with protecting the cybersecurity of their organizations are being solicited by an emerging crop of solution providers offering technologies and services designed to identify and interrupt the use of OSINT in the perpetration of attacks and other cyber criminal activity. The viability and efficacy of the products and services offered run the gamut in terms of success at preventing threats. Organizations are already spending significant sums on deploying OSINT solutions, often without fully understanding the shortcomings of the strategy: shortcomings that reflect how OSINT is used by their adversaries and how to deal with that fact.
This document examines how OSINT is used and summarizes the evolution of OSINT from a legitimate and useful practice engaged by the lawful, to a powerful tool used by bad actors with bad intent. More importantly, the document will illustrate how the predominant OSINT solutions available in the market fall short of preventing the damage they’re designed to avoid (especially for the cost). Finally, it identifies the missing element from so many cyber security practices – particularly those focused on OSINT as the primary factor in delivering effective information security – and explains how to integrate this missing element in ways that render OSINT strategies far more effective than they currently are.
The Origin of OSINT and its Evolution to Becoming a Potent Threat
The origin of OSINT in the United States can be traced back to the creation of the Foreign Broadcast Monitoring Service in 1941. During World War II, the FBMS monitored and analyzed the news media of the Axis powers to glean strategically important information about the movements and motivations of the enemy. Of course, the data the FBMS gathered was nothing approximating the scope and volume of today’s globalized, digital stores of information. Back then, there was a finite number of sources for open-source data collection. The much narrower field of broadcast media outlets, newspapers, periodicals and public records (compared to today) allowed for the manual collection of intelligence data.
By contrast, the contemporary, globally-networked digital environment offers a seemingly infinite profusion of publicly available data – from social media to Data Brokers and People Search Sites, as well as enormous volumes of public data stored in digital databases online. According to Maximize Market Research, there are presently as many as 5000 data brokers with total market capitalization of $252 billion. And the number is projected to grow at a CAGR of 7.25% to $411 billion by 2030.

There are thousands of People Search Sites in operation as well with many new ones coming online every day. People Search Sites process more than 300 million searches per day for personal names and information according to Kurt Knutsson in his CyberGuy Report.
From its early origins, OSINT was an activity used by governments and law enforcement agencies seeking to predict or preempt geopolitical aggression and criminal activity. The use of OSINT was ramped up exponentially following the 9/11 attacks on the US. Following the attacks, the 9/11 Commission recommended the creation of an open-source intelligence agency to monitor the Internet, databases, press, radio, television, video, geospatial data, photos and commercial imagery that terror groups leveraged in perpetrating attacks. By collecting and analyzing the available open-source intelligence, analysts were able to identify patterns and provide predictive advisories to effectively interrupt subsequent attacks.
Since the 9/11 attacks in 2001, the explosion of digital data sources and the exponential growth in the volume of data available for law enforcement and national security forces to capture and analyze has complicated efforts to derive effective protections against future attacks. Compounding this challenge, threat actors have turned this strategy against those charged with protecting legitimate interests. In short, the bad guys learned they could access OSINT to their advantage.
How Open Source Intel Powers Social Engineering
Threat actors leverage OSINT to collect information about the networks, systems and employees of their targets. The intelligence they gather from open sources is used to isolate vulnerabilities and derive attack vectors. The more sophisticated hackers look for weaknesses like exposed server ports in secure systems against which they can launch brute force attacks. They look for weaknesses in public-facing systems they can exploit using DDoS attacks.
The less technically proficient hackers don’t even waste time seeking such technical vulnerabilities to exploit using zero-day exploits, malware and other labor-intensive practices. Rather, they use OSINT to bypass cyber security measures altogether. It is surprisingly effective as evidenced by the near daily data breaches occurring at even the largest, most nominally secure organizations.
In 2023, the United States experienced more than 3,200 data breaches, which was a 78% increase from 2022 according to the Identity Theft Resource Center. That is roughly 9 breaches for every day of the year!
Threat actors are routinely using OSINT to perform reconnaissance, gathering detailed information about employees of target organizations including names, job titles, contact information and other information found easily on public facing websites. They also use unsecured social media accounts as well as data profiles from Data Brokers, People Search Sites and other low-to-no cost open sources. This information is then used to identify the correct targets, and OSINT is then leveraged to undertake further research on these targets with data available on social media sites, public records and other open-source data pools. A significant amount of OSINT is baked into highly contextual messages delivered via phishing, spear phishing, password cracking and other social engineering vectors.

As the above graphic illustrates, threat actors are relying on OSINT to develop sophisticated attacks well in advance of approaching hardened cyber security protections. As the next segment of this paper shows, information security professionals are deploying protective aspects of OSINT too late in the process to be fully effective. Defensive OSINT activities need to be applied much earlier in the process to be effective.
OSINT Solutions for Cyber Security and their Inherent Weaknesses
The burgeoning crop of OSINT solution providers – it should be noted – don’t focus their products and services expressly on corporate cyber security. In fact, for most, the use case for protecting cyber security is only one facet of their offerings. OSINT solutions can be focused on such things as marital infidelity investigations, custody/family law cases, insurance fraud prevention and others. But for the purposes of this document, we’ll focus only on the OSINT strategies applicable to cyber security.
Generally speaking, info sec OSINT aggregates public data on consumer records, social media, vehicle data, public cameras, and other public information to derive insights and analysis of potential threats to a client organization. The goal for OSINT used by cyber defenders is to discover publicly available information related to their organization that could be used by attackers. They use this information to inform actions necessary to prevent attacks.
The following recommendations for protecting against OSINT attacks were culled from the marketing sites of several leading OSINT solution providers (not named for obvious reasons). These solutions provide for:
- Training of Employees: Providing training to help employees recognize and respond to potential threats. This is often done through an internal program, by hiring external consultants, or by using an interactive online platform.
- Limiting Sensitive Information: Urging caution about sharing sensitive company information on social media.
- Fostering Wariness of Communications: Approaching calls, emails, and texts that prompt risky actions with skepticism and questioning the legitimacy of inbound emails/texts as a discipline.
- Network Segmentation: Separating company resources into different subnets and restricting data sharing between them.
- Implementing the Principle of Least Privilege: Granting users only the access necessary for their job responsibilities.
- Using Dual SIM Phones: Utilizing a separate number from a different provider for services that require secure access.
- Monitoring the Digital Footprint: Implementing digital footprint monitoring to reduce the risk of OSINT-based threats.
- Strengthening Authentication Mechanisms: Using robust authentication methods to safeguard an organization.
- Conducting Vulnerability Scanning and Patching: Regularly checking for vulnerabilities and applying necessary patches.
- Managing Third-Party Risk: Establishing processes to address and manage risks associated with third-party vendors.
Individually, every one of these activities represents a useful facet of any cyber security practice. And even those organizations that do not employ an OSINT solution as part of their cyber security program likely already observe most, if not all, of these recommendations. For those organizations that elect to manage an OSINT program internally as part of their broader cyber security practices, the costs can mount quickly.
OSINT solution provider Skopenow provides an illuminating example of what it might cost a large enterprise organization to stand up a manual OSINT process in its article titled, “The ROI of Automated OSINT, Part II: Corporate Security Threat Detection and Investigation”.
Manual OSINT Process:
- Estimated hourly cost of each security analyst and the investigator, including BLS-estimated salary: $53 per hour
- Annual continuous threat detection cost: $880,000 (8 analysts x 2,080 work hours per year x $53 per hour)
- Annual deep dive investigations cost: $55,000 (1,040 hours per year x $53 per hour)
- Total annual manual OSINT cost: $935,000 ($880,000 + $55,000)
Not an insignificant expense for only one small facet of any comprehensive cyber security practice.
The article also estimates the costs associated with an automated OSINT process wherein the organization’s analysts utilize software to receive potential threat alerts (as identified by an AI) and then use automation to perform investigations. Threat risk and detection, automated escalation and response, analytics and reporting are all typical features included in automated OSINT solutions.
This model’s costs were estimated thusly:
- Eight security analysts, each costing $53 per hour
- Five automated OSINT platform seats costing $150,000 per year
- Annual continuous threat detection cost: $15,800 (1 hour per day x 365 days per year x $53 per hour)
- Annual deep dive investigations cost: $2,750 (1 hour per week x 52 weeks per year x $53 per hour)
- Total annual automated OSINT cost: $168,550 ($15,800 + $2,750 + $150,000)
While significantly lower in cost than the manual model, this is still a cost-intensive activity that is likely beyond what is affordable to all but the largest organizations with the biggest cyber security budgets. Especially since, with or without an OSINT component, most organizations are still very likely to fall victim to cyber-attack.
The Missing Element in OSINT as a Cyber Security Practice
Privacy Bee for Business doesn’t contend that organizations shouldn’t invest in some level of open-source intelligence activity. Clearly, preventative efforts are worthwhile and developing awareness of potential threats on the horizon is certainly more effective than being caught unprepared for inevitable risks.
What Privacy Bee for Business does suggest is that it is preferable to deprive threat actors of the capacity to use OSINT against one’s organization in the first place. And this is a goal that is far more cost-effective using Privacy Bee for Business solutions to identify and neutralize the unsecured external data which is precisely what threat actors use to plan and mount their attacks.
The vast volumes of unsecured external data are the very intelligence assets targeted by OSINT in the hands of bad actors. Scraping personally identifiable information (PII) from social media, corporate websites, public records, and purchasing contextual PII from Data Brokers and People Search Sites is what powers the social engineering scams that make up the majority of all data breaches today. Yet, OSINT products, software and services do nothing to interdict the availability and capture of external data. External data privacy is the missing element from most cyber security practices today.
All existing defense strategies – network encryption, zero-trust protocols, multi-factor authentication, endpoint security, firewalls, physical security measures/cameras, IAM, user training/awareness, etc. – are rendered impotent in the absence of stringent external data privacy management.
Organizations must necessarily employ some level of OSINT in a defensive fashion. At the same time, however, they can and must deny their adversaries the potency of OSINT as a hacker’s tool by focusing on external data privacy, removing all the actionable intelligence that threat actors actively seek to obtain by turning OSINT into a tool for criminal activity.
External Data Privacy Management Deprives Threat Actors of OSINT as an Effective Tool
Managing and protecting access to the PII of every single employee and those of all third-party affiliates (like vendors and other partners) may seem like an overwhelming challenge. Knowing there are thousands of People Search Sites and Data Brokers, scores of social media platforms, powerful search engines and tons of publicly searchable data makes it an even more sobering prospect.
The good news is that organizations can identify and neutralize the vast majority of employee and business partners’ PII in open-source data stores. Even better, it costs nothing to use Privacy Bee for Business tools to identify all the exposed, unsecured external data hackers seek when they perform OSINT activities. Once any organization is able to clearly see how exposed it is to OSINT attacks, it is almost always anxious to begin the exposure removal process, which is where Privacy Bee for Business earns its modest fees. Best of all, the cost of the removal service is a fraction of the cost of most OSINT solutions on the market.
No Cost Tools for Identifying Unsecured External Data
Privacy Bee’s Employee Risk Management (ERM) solution is a no-cost scanning tool delivering visibility into an organization’s External Data Privacy risk. It takes very little time to load and configure the workforce in the system usually via exported CSV from the HR department. Privacy Bee can then immediately begin scanning hundreds of external sources, searching for any exposed privacy risks on each employee. Any discoveries are flagged as an exposure and affect that person’s aggregated Privacy Risk Score.
ERM helps quickly paint a full picture of an organization’s real-time cyber risk from external privacy exposures.
Privacy Bee’s External Data Privacy Audit (EDPA) is the companion web-based privacy app for quickly and easily scanning employees’ PII exposure. This no-cost tool set lets organizations build an extensive audit, identifying privacy exposures and vulnerabilities, then extrapolates potential financial impact across the company. It’s a critical view into risk assessment, operational inefficiencies, emerging cyber risk, and External Data Privacy management.
The EDPA provides unified employee audits, bringing together real-time dark web monitoring with 24/7 active clear web monitoring (Data Brokers, People Search Sites, paste sites, and more). It delivers a centralized view into public employee exposures, and insight into the tangible financial impact they have within your organization.
Privacy Bee’s Vendor Risk Management (VRM) extends the privacy bubble to targets outside an organization who may nonetheless have a degree of access to your sensitive information systems. This solution evaluates all third-party vendor/partner organizations for Electronic Data Privacy risks. It then reports simple Privacy Risk Scores on each company, highlighting each vendor’s risk at a glance. Analytics further break vendors down by department, risk tier, and more, with all thresholds fully customizable. While most vendor risk software stops at the report, Privacy Bee VRM keeps going, offering to work with all third-party vendors 1-on-1 to decrease their vulnerabilities, effectively de-risking your company at no cost to your cyber security budget.
While all these (and other) audits and monitoring services are available at no cost, removing employee PII from all unsafe locations on the net is what reduces the risk and the attack surface. While this is a function your organization could take on as an internal activity, most organizations prefer to outsource to Privacy Bee the removal service for the employees and vendors identified as at risk. Privacy Bee has teams of experts working 24x7x365 to scrub client employees’ PII from all unsafe corners of the internet.
Engaging the Privacy Bee for Business solution offers many other ancillary benefits as well such as eliminating physical threats to executives and other high profile members of your team. It helps reduce unwanted spam and telemarketing that sap productivity. It helps curb HR poaching, saving significantly on HR and lost opportunity costs. It helps foster a culture of data privacy that makes your organization more secure and a much more attractive partner to prospective customers.
For a very detailed calculation on the return on investment (ROI) of the Privacy Bee for Business platform, read the white paper “Calculating the ROI into External Data Privacy Management Solutions”. It provides values gathered to help derive an accurate ROI calculation for investing in Privacy Bee for Business to protect against data breaches powered by social engineering attacks relying on unsecured external data.
